PCI Compliance and Information Security 101
Security is a major concern for every small business.
In the current network security climate, you should be concerned about the ability of your business to fend off and recover from an attempted hack or security breach.
Most business owners don’t know what steps are necessary to provide even a basic foundation for information security. Fortunately, whether you are a financial institution that is required to be PCI compliant or a small business that just wants to feel that critical data is more secure, there are some simple principles you can follow to minimize your risk and protect your critical data.
Using the requirements for PCI compliance, there are 12 areas to protect, several of which apply in particular to every business. Taking the following precautions will assist in building a strong frontline defense against attacks and data loss. However, these recommendations are not exhaustive, and you should consult with a certified security expert to assess your overall vulnerability.
Protect your network from the outside – in
A “firewall” separates your internal private network from the outside or public internet. Its job is to keep the bad guys out. Use a firewall device that offers real-time intrusion detection and prevention to identify threats, actively block them, and notify your IT support that the attack occurred. Most “off the shelf” routers or firewalls are not sophisticated enough to offer this service, but there are a number of devices that are inexpensive and can provide excellent protection.
Protect your network from the inside – out
Most people don’t think of the threats that can exist inside your network. When a virus or other infection takes hold, it can open up a connection to the outside world from your computer, creating a tunnel for malicious hackers to come in. Your firewall device will prevent this from happening. Part of this protection principle is to always have antivirus software installed that provides a software firewall on your computer as an added layer of defense from both inbound and outbound attacks. This antivirus should be updated at least daily and, ideally, should not allow removal without entering a password.
Protect access to your network
Set up a schedule to scan for wireless access points at least twice per year, looking for access points that bear your name but don’t belong to you. This is a common hacker attempt to trick your users into giving away passwords by trying to log in to a fake access point.
Keep areas where network equipment is stored behind lock and key.
Have and observe a strong password policy
In our experience, the password is always the weakest link in the security chain. No matter how good your security is, if you use a weak password for your network resources, you will get hacked.
Create passwords that follow these guidelines:
- At least 7 characters long
- Should not contain any words you find in the dictionary
- Should contain 4 types of characters – uppercase letters, lowercase letters, numbers and punctuation
- Passwords should be required to change at least every 60 days
- You should not allow repeating passwords you have used in the past
- The password policy should be written and everyone should be aware that a policy exists, and what it is
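The guidelines above can be enforced mechanically. The following is an added example (not from the original article or from Available Technology) that checks a candidate password against the length, character-class, dictionary-word and no-reuse rules, and flags passwords older than the 60-day rotation period. The word list is a tiny constructed stand-in for a real dictionary, and password history is assumed to be stored as SHA-256 hashes rather than plaintext.

```python
import hashlib
import re
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Constructed stand-in for a real dictionary word list (assumption, not from the article).
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "admin"}
MIN_LENGTH = 7            # "At least 7 characters long"
MAX_AGE = timedelta(days=60)  # "change at least every 60 days"


def hash_password(password: str) -> str:
    """Hash used for the reuse check so old passwords are never stored in the clear."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, previous_hashes: Iterable[str],
                   dictionary: Iterable[str] = DICTIONARY_WORDS) -> List[str]:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # The four required character types: uppercase, lowercase, numbers, punctuation.
    classes = {
        "uppercase": re.search(r"[A-Z]", password),
        "lowercase": re.search(r"[a-z]", password),
        "number": re.search(r"[0-9]", password),
        "punctuation": re.search(r"[^A-Za-z0-9\s]", password),
    }
    missing = [name for name, found in classes.items() if not found]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Dictionary words are rejected case-insensitively, even when embedded in a longer string.
    lowered = password.lower()
    hits = sorted(word for word in dictionary if word in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))

    # No repeating a password that has been used before.
    if hash_password(password) in set(previous_hashes):
        problems.append("reused a previous password")
    return problems


def password_expired(last_changed: date, today: Optional[date] = None) -> bool:
    """True when the password is older than the 60-day rotation period."""
    today = today or date.today()
    return today - last_changed > MAX_AGE
```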
Protect your data with layers of redundancy
Hackers aren’t the only threat to small businesses. Viruses that destroy data are on the rise, and catastrophic data loss can put businesses under faster than any other business disaster.
To protect against data loss, have at least 3 levels of redundancy for your data.
Level 1 – Critical data should be on a RAID array. This is an array of storage disks that act as one volume, so if a drive goes out, the data stays safe and the bad drive can be replaced.
Level 2 – Local physical backups to an external drive or backup server. Have at least 2 drives and rotate them on a schedule so 1 drive is always away from your location while the other is used for backups.
Level 3 – Cloud based backups for your most critical data
Encrypt important data
If your data is important, you should protect it from theft. What would happen if the computer or drive on which your most sensitive information is stored was physically stolen and used to target your customers?
Encryption prevents that by making sure that even if the storage drive is removed and placed in another computer, the data cannot be read. A password or encryption key would be required for access to the data.
Most operating systems include methods for encrypting critical data, so encryption is usually free and can be done easily.
Follow these principles and you will be well on your way to protecting your business from threats and data loss.
Need help from a pro? Contact Available Technology at http://available-tech.net or 864-232-1234 and we would be happy to do an assessment of your small business.
Mike Lane, Available Technology Inc
Let me know what you think! Leave comments or contact us @availabletech